First, Audit The Assets

As the saying goes, you can't manage what you don't know. Cliché or not, it is certainly apt when it comes to describing the compliance landscape.

Solution providers angling for a piece of the $29.9 billion that will be spent on compliance this year, by AMR Research's estimate, have no shortage of products to choose from. Forrester Research counts as many as 500 software vendors that offer compliance applications, covering the gamut from risk assessment to e-discovery. But there is no such thing as a complete compliance solution.

There is one common starting point for the many-legged compliance beast, though—an audit of a company's assets. As such, for this Solutions That Work, the CRN Test Center decided to pull together a flexible, easy-to-manage compliance audit solution.

While a sound asset management process is critical in its own right, it also is the backbone of any compliance engagement, solution providers say. Rather than wasting energy on ad hoc solutions for meeting specific regulations, companies are finding that implementing best IT practices for asset management will quite naturally resolve many compliance issues, or lay the groundwork for the resolution of specific issues.

Fortress Network Security, a Louisville, Ky., solution provider, always starts with an asset inventory before developing a security controls solution, said Mike Meyer, security project manager at Fortress. "A network auditing tool cuts down on the time required to gain an understanding of the customer's network," he said.

Asset protection covers myriad functions, from tracking equipment, to ensuring only authorized users have access to assets, to checking software licenses, to patching security vulnerabilities. There are a number of tools that do the job. While CA has its Unicenter family of products, IBM is organizing its Tivoli product family into a comprehensive Compliance Framework and Hewlett-Packard provides its OpenView Configuration Management Inventory Manager.

Besides the platform vendors, BigFix, PatchLink and Shavlik offer patch management suites. Altiris has two products: Asset Management Suite and Security Expressions patch management software. Layton Technology's Audit Wizard also has automatic network discovery and can collect asset, user, hardware and software details as well as identify installed applications on Windows machines.

For this audit solution, we chose CA's Unicenter products: Unicenter Asset Management, Unicenter Patch Management and CA Configuration Management Database. A unified approach like CA's solution makes deployment easier and monitoring straightforward.

Step 1: Create An Inventory
A company can't discuss fixes or whether it's compliant with a certain regulation if it doesn't even know what its current state is. So taking a complete inventory is the first step.

"Typically, we will find that when we go into the network, regardless of how good their team is, there's not a good picture of what's in place," Meyer said.

That's where an automated tool like CA's Unicenter Asset Management comes in. Many compliance regulations require that an organization document and track data through various systems before the data appears in a report. Sarbanes-Oxley, for example, requires IT to be able to trace financial figures to the systems and software that collected and calculated them. An intensive, top-down audit of everything that keeps the organization humming—servers, switches, software—is essential to get on the compliance track.

The information collection has to happen at the top. A lot of the information is already being collected on an ad hoc basis, but there needs to be a formalized process. "Most assuredly there are spreadsheets all around already, but who is doing the collecting? Who has them?" said Jonah Paransky, vice president of marketing at Revive Systems, a Vienna, Va., developer of preproduction staging and analysis platforms.

Unicenter Asset Management can be used to discover, manage and document all the IT assets in the organization. Administrators can populate the application's data repository in a variety of ways, such as auto-discovery or writing scripts to deploy agents to the machines on the network. There's also an add-on ETL module used to massage existing data into the format that Asset Management will accept.

The auto-discovery feature is easy and thorough. With the help of a wizard, solution providers specify a range within the subnet to scan, and the appliance checks the network to detect all devices with an IP address that fall within the range. As each device is discovered, applications and their components are also discovered. Different versions and deliveries of the software, such as an enterprise vs. a standard edition of a program, are added to the repository. It can also discover PDAs and SAN devices.

It is also important that Unicenter Asset Management scan the network periodically to check for devices such as a laptop that was off during the previous scan and to record missing or moved devices. Once changes are recorded, Unicenter Asset Management can produce discrepancy reports.

Unicenter Asset Management's grouping wizard is so easy to use that it may cause more chaos than order. The wizard creates collections and arranges devices based on logical, geographical or organizational constraints. A group, for example, may include all the switches, servers, UPSes and storage drives used by an accounting department. But too many groups can make the collections more confusing than helpful if you're not careful.

Software management is also included. CA, Islandia, N.Y., has a team that maintains an up-to-date software signature database that can recognize thousands of versions of software. Unicenter Asset Management can also correlate all discovered software with their licenses in the data repository and can even differentiate between paid licenses and trial versions.

The Web-based monitoring console also gives solution providers the ability to check the Unicenter Asset Management console remotely.

Step 2: Identify The Gaps
With a complete inventory in hand, solution providers or administrators can attempt to reconcile procurement orders and other inventory lists with actual devices and applications on the network. "IT teams get pulled in different directions," Meyer said. "Things don't always get updated."

Perhaps the audit revealed the existence of three servers that no one seems to know anything about. Or that a router is missing. Perhaps the servers were the result of an ordering error and the missing router broke and had been replaced. Procurement orders may indicate several switches that didn't make it into the repository. Some legwork may result in the discovery of a box of switches in the back of a closet everyone had forgotten about.

Now that the gaps have been identified, solution providers can act accordingly to eliminate redundant equipment, secure new devices and reconcile software licenses with installed copies.

More importantly, since a user's name, location and usage amounts are tracked for each application, if a user shows zero usage for a particular application, the license can be allocated to another user. That not only saves a client money, but guards against users having unauthorized access to an application, which is a big issue for compliance auditors.
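The periodic rescan, the discrepancy report and the reconciliation against procurement orders described in Steps 1 and 2 amount to a few set comparisons over the asset repository. The following Python sketch is an added example, not CA Unicenter code and not from the original article; the device records, MAC addresses, subnets and procurement list are constructed, and treating the MAC address as the stable asset key across scans is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One discovered device. The MAC is assumed to be the stable asset key."""
    mac: str
    ip: str
    hostname: str
    subnet: str


# Constructed sample data: last week's scan, today's scan, and the MACs that
# appear on procurement orders. None of these are real devices.
PREVIOUS_SCAN = [
    Device("00:11:22:33:44:01", "10.1.1.10", "acct-srv01", "10.1.1.0/24"),
    Device("00:11:22:33:44:02", "10.1.1.11", "acct-srv02", "10.1.1.0/24"),
    Device("00:11:22:33:44:03", "10.1.2.1", "rtr-edge01", "10.1.2.0/24"),
    Device("00:11:22:33:44:04", "10.1.1.50", "lt-jsmith", "10.1.1.0/24"),
]
CURRENT_SCAN = [
    Device("00:11:22:33:44:01", "10.1.1.10", "acct-srv01", "10.1.1.0/24"),
    Device("00:11:22:33:44:02", "10.1.3.11", "acct-srv02", "10.1.3.0/24"),  # moved to another subnet
    Device("00:11:22:33:44:05", "10.1.1.77", "unknown-srv", "10.1.1.0/24"),  # nobody ordered this
]
PROCURED = {
    "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
    "00:11:22:33:44:04", "00:11:22:33:44:06",  # :06 was ordered but never seen on the wire
}


def discrepancy_report(previous, current, procured):
    """Compare two scans with each other and with procurement records.

    new/missing/moved answer "what changed since the last scan"; unprocured and
    never_seen are the gaps between the paper inventory and the network.
    """
    prev = {d.mac: d for d in previous}
    cur = {d.mac: d for d in current}
    both = prev.keys() & cur.keys()
    return {
        "new": sorted(cur.keys() - prev.keys()),
        "missing": sorted(prev.keys() - cur.keys()),  # switched off, removed or gone: follow up
        "moved": sorted(m for m in both if prev[m].subnet != cur[m].subnet),
        "unprocured": sorted(cur.keys() - procured),  # on the network, on no order
        "never_seen": sorted(procured - prev.keys() - cur.keys()),  # ordered, never discovered
    }


if __name__ == "__main__":
    for category, macs in discrepancy_report(PREVIOUS_SCAN, CURRENT_SCAN, PROCURED).items():
        print(f"{category:11s} {macs}")
```

On this sample the report flags the laptop and the router as missing since the last scan, the accounting server as moved, one server on the network that nobody purchased, and one purchased device that has never been discovered. Each of those is a follow-up item before any compliance claim can be made.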

Step 3: Understand The Assets
An inventory list, no matter how comprehensive, becomes out of date the instant something changes. Integrating the device repository with a configuration management system ensures the list of assets is always current.

Regulations such as Sarbanes-Oxley require organizations to keep track of and document network changes. CA's Configuration Management Database (CMDB) makes that task easy: it maintains an audit trail of all changes and reflects them in a flow diagram.

What CMDB does is take the device information in the Unicenter Asset Management repository and define relationships among the assets. The IT team can interrelate hardware with software and tie them to a business process within a pictorial layout.

As such, CMDB can show how information flows from server to switch to router. In an e-commerce environment, for example, the Web server, database, transaction processing application and credit card reporting application are all part of the process. CMDB can define relationships based on dependencies, minimizing the manual work.

The application ships with more than 100 different relationship types, groupings and categories, and managers can also create new types using a wizard. That allows managers to look at the interdependencies between devices and make sure the interfaces are working properly. Relationship definitions can be imported from multivendor data sources using XML and from a spreadsheet or another database.

Another benefit is that CMDB can discover technology overlaps. One such overlap would be if an organization already had a function for matching invoice forms with the purchase order, something that ERP systems can do automatically. Another redundancy would be the case of extra hardware assigned to a particular group. Does the engineering group really need four printers?

If a manager decides to remove equipment or make changes to a configuration, CMDB will record the change and analyze the impact on related devices, which helps managers assess impacts before an outage occurs.
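The relationship graph and the impact analysis described in Step 3 can be shown with the e-commerce scenario above. The following Python code is an added example, not the CMDB's own code or data model; the asset names, relationship types, business process names and the change-log format are all constructed.

```python
from collections import defaultdict, deque

# Constructed relationship records as (dependent, relationship, provider):
# the dependent breaks if the provider goes away.
RELATIONSHIPS = [
    ("order-checkout", "runs_on", "web01"),
    ("order-checkout", "uses", "orders-db"),
    ("payment-reporting", "uses", "orders-db"),
    ("orders-db", "runs_on", "db01"),
    ("web01", "connects_to", "sw-core01"),
    ("db01", "connects_to", "sw-core01"),
    ("sw-core01", "connects_to", "rtr-edge01"),
    ("hr-portal", "runs_on", "web02"),
    ("web02", "connects_to", "sw-floor2"),
]
# Constructed: which nodes are business processes rather than devices or software.
BUSINESS_PROCESSES = {"order-checkout", "payment-reporting", "hr-portal"}

CHANGE_LOG = []  # the audit trail: every proposed change with its computed impact


def build_dependents(relationships):
    """Reverse the edges: provider -> set of things that depend on it."""
    graph = defaultdict(set)
    for dependent, _relationship, provider in relationships:
        graph[provider].add(dependent)
    return graph


def impact_of_removal(asset, relationships):
    """Walk the dependency graph upward from `asset` and split what it reaches
    into affected devices/software and affected business processes."""
    graph = build_dependents(relationships)
    reached, queue = set(), deque([asset])
    while queue:
        node = queue.popleft()
        for dependent in graph[node]:
            if dependent not in reached:
                reached.add(dependent)
                queue.append(dependent)
    return {
        "affected_assets": sorted(reached - BUSINESS_PROCESSES),
        "affected_processes": sorted(reached & BUSINESS_PROCESSES),
    }


def record_removal(asset, relationships, requested_by):
    """Log a proposed removal together with its impact, so the decision and its
    consequences are on the audit trail before anything is unplugged."""
    entry = {
        "asset": asset,
        "action": "remove",
        "requested_by": requested_by,
        "impact": impact_of_removal(asset, relationships),
    }
    CHANGE_LOG.append(entry)
    return entry


if __name__ == "__main__":
    print(record_removal("sw-core01", RELATIONSHIPS, "net-admin"))
```

Removing the core switch in this sample reaches the Web server, the database server and the orders database, and through them both the checkout and the payment-reporting processes; the HR portal on the second-floor switch is untouched. That is the answer a manager wants before an outage rather than after it.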

Step 4: Keep Assets Up-To-Date
Between CMDB and Unicenter Asset Management, new hardware, new or upgraded software and refreshed license keys are logged and tracked via an electronic paper trail. However, in this day and age of sophisticated security attacks, it's not enough to just track product versions and equipment. A proactive solution provider needs to stay current with patches. Enter another member of the Unicenter family—Unicenter Patch Management.

Unicenter Patch Management has an easy-to-use, task-oriented user interface, which combines with a Web-based reporting portal to administer the patch management process. The functions are wizard-driven and governed by device and user policies.

The solution provider decides which patches will be deployed on which systems, and Unicenter Patch Management conducts a formal patch-testing phase to assess each patch's impact against the system configuration. After testing, the packaging and deployment are handled automatically—either on a schedule or immediately. The system ensures that pre- and post-requisites, dependencies and roll-up structures are applied.

Detailed reports indicate which systems have been patched, when and by whom. Workflows also reflect which patches have not yet been installed. Unicenter Patch Management continuously monitors for patch-level compliance, reports on noncompliance and can automatically re-deploy patches based on defined policy. Managers know what assets there are, and their current state, making compliance easier.
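The policy-driven compliance check and the prerequisite-aware re-deployment that Step 4 describes come down to comparing each host's installed patches with what its role requires and ordering the shortfall so that prerequisites go first. The following Python code is an added example, not Unicenter Patch Management code; the patch identifiers, roles, prerequisite structure and hosts are constructed.

```python
# Constructed policy: which patches each device role must carry.
POLICY = {
    "web": {"P-0002", "P-0003"},
    "database": {"P-0004"},
}
# Constructed prerequisite structure: patch -> patches that must already be installed.
PREREQS = {
    "P-0002": {"P-0001"},
    "P-0003": {"P-0002"},
    "P-0004": {"P-0001"},
}
# Constructed inventory in the shape the asset repository would hand over.
INVENTORY = [
    {"host": "web01", "role": "web", "installed": {"P-0001"}},
    {"host": "web02", "role": "web", "installed": {"P-0001", "P-0002", "P-0003"}},
    {"host": "db01", "role": "database", "installed": set()},
]


def deployment_order(missing, installed, prereqs):
    """Return the install order for `missing`, pulling in any prerequisite that
    is itself absent, prerequisites first. Raises on a prerequisite cycle."""
    order, done = [], set(installed)

    def visit(patch, stack=()):
        if patch in done:
            return
        if patch in stack:
            raise ValueError(f"prerequisite cycle involving {patch}")
        for prerequisite in sorted(prereqs.get(patch, ())):
            visit(prerequisite, stack + (patch,))
        order.append(patch)
        done.add(patch)

    for patch in sorted(missing):
        visit(patch)
    return order


def compliance_report(inventory, policy, prereqs):
    """One row per host: compliant or not, what the policy says is missing, and
    the full ordered list to deploy (including pulled-in prerequisites)."""
    rows = []
    for host in inventory:
        missing = sorted(policy[host["role"]] - host["installed"])
        rows.append({
            "host": host["host"],
            "compliant": not missing,
            "missing": missing,
            "deploy": deployment_order(missing, host["installed"], prereqs),
        })
    return rows


def redeploy_queue(report):
    """Flatten the noncompliant rows into (host, patch) jobs in install order."""
    return [(row["host"], patch)
            for row in report if not row["compliant"]
            for patch in row["deploy"]]


if __name__ == "__main__":
    report = compliance_report(INVENTORY, POLICY, PREREQS)
    for row in report:
        print(row)
    print(redeploy_queue(report))
```

Note that db01 is reported as missing only P-0004, which is all the policy names, but the deployment list for it starts with P-0001 because P-0004 cannot be applied without it. Running the report on every scan, rather than once after a rollout, is what turns a one-time patch job into the continuous monitoring the paragraph describes.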

A unified platform like CA's makes deployment easier, but solution providers will still most likely need to rely on a variety of tools. For example, while IBM is touting its compliance framework, Micro Strategies, a Denville, N.J.-based IBM partner, combines Interwoven and IBM Tivoli products in order to create a complete compliance solution.

Whatever tools are used, compliance begins with a sound asset management system. For the same reasons, best practices can also begin with compliance. As Robert Stroud, an IT service management and IT governance evangelist at CA, put it: "Compliance moves the organization from chaos to a controlled state in a step-by-step process."